How to perform a security architecture review at Level 2

If you are performing an application security verification according to the OWASP Application Security Verification Standard (ASVS) verification requirements, then you will need to perform an analysis of the application’s security architecture. The ASVS Level 2 security architecture requirements read in part:

“... the web application shall be defined by grouping its components into a high-level architecture … Components may be defined in terms of either individual or groups of source files, libraries, and/or executables. At Level 2, the relationship between components or groups of components need not be defined… At Level 2, the path or paths a given end user request may take within the application must be documented…”

The level of detail, and corresponding depth and breadth of analysis, is the same for ASVS Levels 2, 2A, and 2B. The above requirements can be met by performing three basic steps.

The next step is to organize the web application and IT environment components identified in the previous step into a high-level architecture. One way to accomplish this is to draw a block diagram that can be understood without knowing, for example, Unified Modeling Language (UML).